Linux Security
    Linux Security
    Linux Security

    ArchLinux: 202004-13: git: information disclosure

    Date
    206
    Posted By

    The package git before version 2.26.1-1 is vulnerable to information disclosure.

    Arch Linux Security Advisory ASA-202004-13
    ==========================================
    
    Severity: High
    Date    : 2020-04-14
    CVE-ID  : CVE-2020-5260
    Package : git
    Type    : information disclosure
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-1133
    
    Summary
    =======
    
    The package git before version 2.26.1-1 is vulnerable to information
    disclosure.
    
    Resolution
    ==========
    
    Upgrade to 2.26.1-1.
    
    # pacman -Syu "git>=2.26.1-1"
    
    The problem has been fixed upstream in version 2.26.1.
    
    Workaround
    ==========
    
    The most complete workaround is to disable credential helpers
    altogether:
    
      git config --unset credential.helper
      git config --global --unset credential.helper
      git config --system --unset credential.helper
    
    An alternative is to avoid malicious URLs:
    1. Examine the hostname and username portion of URLs fed to git clone
    for the presence of encoded newlines (%0a) or evidence of credential-
    protocol injections (e.g., host=github.com)
    2. Avoid using submodules with untrusted repositories (don't use clone
    --recurse-submodules; use git submodule update only after examining the
    URLs found in .gitmodules)
    3. Avoid tools which may run git clone on untrusted URLs under the hood
    
    Description
    ===========
    
    Affected versions of Git have a vulnerability whereby Git can be
    tricked into sending private credentials to a host controlled by an
    attacker. Git uses external "credential helper" programs to store and
    retrieve passwords or other credentials from secure storage provided by
    the operating system. Specially-crafted URLs that contain an encoded
    newline can inject unintended values into the credential helper
    protocol stream, causing the credential helper to retrieve the password
    for one server (e.g., good.example.com) for an HTTP request being made
    to another server (e.g., evil.example.com), resulting in credentials
    for the former being sent to the latter. There are no restrictions on
    the relationship between the two, meaning that an attacker can craft a
    URL that will present stored credentials for any host to a host of
    their choosing.
    The vulnerability can be triggered by feeding a malicious URL to git
    clone. However, the affected URLs look rather suspicious; the likely
    vector would be through systems which automatically clone URLs not
    visible to the user, such as Git submodules, or package systems built
    around Git. The problem has been patched in the versions published on
    April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the
    change further can do so by applying commit 9a6bbee (the full release
    includes extra checks for git fsck, but that commit is sufficient to
    protect clients against the vulnerability). The patched versions are:
    2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3,
    2.26.1.
    
    Impact
    ======
    
    A remote attacker could trick Git into returning credential information
    for a wrong host by providing a malicious URL.
    
    References
    ==========
    
    https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
    https://lore.kernel.org/git/This email address is being protected from spambots. You need JavaScript enabled to view it./
    https://git.kernel.org/pub/scm/git/git.git/commit/?id=9a6bbee8006c24b46a85d29e7b38cfa79e9ab21b
    https://git.kernel.org/pub/scm/git/git.git/commit/?id=c716fe4bd917e013bf376a678b3a924447777b2d
    https://git.kernel.org/pub/scm/git/git.git/commit/?id=07259e74ec1237c836874342c65650bdee8a3993
    https://bugs.chromium.org/p/project-zero/issues/detail?id=2021
    https://security.archlinux.org/CVE-2020-5260
    
    

    LinuxSecurity Poll

    Which aspect of server security are you most interested in learning more about?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/38-which-aspect-of-server-security-are-you-most-interested-in-learning-more-about?task=poll.vote&format=json
    38
    radio
    [{"id":"131","title":"Preventing information leakage","votes":"1","type":"x","order":"1","pct":100,"resources":[]},{"id":"132","title":"Firewall considerations","votes":"0","type":"x","order":"2","pct":0,"resources":[]},{"id":"133","title":"Permissions ","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.